Published: Monday, 27 October 2025.
Prepared by: Adam Skupien, Vulnerability Security Analyst
Microsoft has released an out-of-band update to address a critical unauthenticated remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS).
This flaw allows attackers to execute arbitrary code with SYSTEM privileges by sending crafted data to vulnerable WSUS servers.
A proof-of-concept exploit has been publicly released, and exploitation has been observed in the wild.
The Australian Cyber Security Centre (ACSC) and the Cybersecurity and Infrastructure Security Agency (CISA) have both issued alerts urging immediate patching due to the high likelihood of exploitation.
On 14 October 2025, Microsoft disclosed a critical remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS). The flaw stems from unsafe deserialisation of untrusted data, allowing an unauthenticated attacker to execute arbitrary code with SYSTEM privileges over the network. The vulnerability affects Windows Server 2012 through 2025 installations that have the WSUS role enabled; systems without the WSUS role are not impacted. Microsoft assigned a CVSS v3.1 base score of 9.8 (Critical) and rated exploitation as "More Likely."
On 22 October 2025, HawkTrace published a proof-of-concept (PoC) exploit for CVE-2025-59287, demonstrating the feasibility of unauthenticated remote code execution against unpatched WSUS servers.
On 23 October 2025, Microsoft released an out-of-band hotfix to address the vulnerability across all affected Windows Server versions, 2012 through 2025. Due to the critical risk and potential for remote code execution, Microsoft also issued updates for Windows Server 2012 and 2012 R2, which have reached end of extended support and are otherwise covered only under the Extended Security Update (ESU) programme, extending coverage beyond the normal support lifecycle to ensure broad protection against exploitation.
On 24 October 2025, Eye Security published a report confirming observed exploitation in the wild following the release of public proof-of-concept code. The research also provided a list of Indicators of Compromise (IOCs), which will be detailed further in this bulletin to assist with detection and monitoring.
On 24 October 2025, CISA issued an advisory urging organisations to apply Microsoft’s updates immediately and isolate WSUS servers from untrusted networks.
On 25 October 2025, ACSC released its own Critical alert urging Australian organisations to prioritise patching and to consult Microsoft's security update for mitigation advice.
Attackers can exploit unsafe deserialisation in WSUS to gain unauthenticated remote code execution with SYSTEM-level privileges, resulting in full host compromise and potentially enabling data theft, lateral movement, and supply-chain manipulation of Windows updates.
Apply patches immediately
Deploy Microsoft's out-of-band security updates released on 23 October 2025 to all servers running the WSUS role, and reboot each system after installation to ensure the fix is applied. The out-of-band package supersedes the 14 October monthly update, which on its own does not fully address the flaw.
If patching is delayed
Disable the WSUS role temporarily to eliminate exposure. Note that managed clients will not receive updates from this server until the role is restored.
Block inbound TCP 8530 (HTTP) and 8531 (HTTPS) at the host firewall and at the network perimeter to prevent remote exploitation.
Limit WSUS access to trusted management networks only until updates can be deployed.
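The interim steps above, as an added example that is not part of the bulletin: a PowerShell script to run elevated on the WSUS host itself. The management subnet and the WSUS_DISABLE_ROLE opt-in switch are placeholders introduced for illustration, not Microsoft settings.

```powershell
# Added example, not from the bulletin: interim hardening of a WSUS host while the
# 23 October 2025 out-of-band update is still pending. Run elevated on the WSUS
# server. Assumptions: $ManagementSubnet is a placeholder for your administrative
# network, and WSUS_DISABLE_ROLE is an illustrative opt-in guard, not a Microsoft setting.
$ManagementSubnet = '10.10.0.0/24'          # placeholder: replace with your management range
$WsusPorts        = @('8530', '8531')       # HTTP / HTTPS WSUS listeners

# 1. Confirm the host actually carries the WSUS role (feature name UpdateServices);
#    hosts without it are not affected by CVE-2025-59287.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS role not installed on this host; nothing to do.'
    return
}

# 2. Ensure every profile drops unsolicited inbound traffic by default, so the
#    only way 8530/8531 is reachable is through an explicit allow rule.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# 3. Disable every existing inbound allow rule that opens the WSUS ports,
#    whatever its display name (this includes the rules the role created).
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) | Where-Object { $_ -in $WsusPorts } } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        Write-Host "Disabling inbound allow rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

# 4. Re-open the ports only from the management network. Windows Firewall evaluates
#    Block rules ahead of Allow rules, so the restriction is expressed by scoping the
#    allow rule rather than by stacking a broad block rule on top of an allow.
New-NetFirewallRule -DisplayName 'WSUS 8530/8531 (management subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort $WsusPorts `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Any | Out-Null

# 5. Where even that exposure is unacceptable, remove the role until the patch lands.
#    This stops WsusService and the IIS site that fronts ClientWebService/client.asmx;
#    managed clients will not receive updates from this server until it is restored.
if ($env:WSUS_DISABLE_ROLE -eq '1') {
    Uninstall-WindowsFeature -Name UpdateServices
    Write-Host 'WSUS role removed; a reboot is required to complete the change.'
}

# 6. Show what is still listening on the WSUS ports and which rules now govern them.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { "$($_.LocalPort)" -in $WsusPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort | Where-Object { $_ -in $WsusPorts } } |
    Select-Object DisplayName, Action, @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
```

The host firewall is only one layer: the same 8530/8531 restriction should be enforced at the network boundary, since an attacker who reaches the host from an adjacent segment can still send the crafted request. Step 4 deliberately avoids an "allow subnet, block everything else" pair of rules, because a Windows Firewall Block rule wins over an Allow rule that matches the same traffic.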
On 24 October 2025, Eye Security detected unusual EDR telemetry on a customer WSUS host: whoami.exe was observed executing with w3wp.exe (the IIS worker process) as its parent, and the IIS/WSUS logs contained a SOAP request carrying a base64-encoded serialised payload. Those initial indicators prompted immediate isolation and analysis, which revealed a ysoserial-generated deserialisation gadget chain with an embedded portable executable (PE) and led Eye Security to publish their findings and IOCs.
Indicators of Compromise (reported by Eye Security)
SoapUtilities.CreateException ThrowException: actor = https://host:8531/ClientWebService/client.asmx — error observed in SoftwareDistribution.log after exploitation.
AAEAAAD/////AQAAAAAAAAAEAQAAAH9 — fragment of the serialised base64 payload found in SoftwareDistribution.log.
207.180.254[.]242 — Virtual Private Server (VPS) IP from which the exploit was sent.
ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d — SHA256 of the embedded MZ payload.
Search WSUS and IIS logs (including SoftwareDistribution.log and the access logs for ClientWebService/client.asmx) for the Indicators of Compromise (IOCs) listed above. Where possible, integrate these searches into your Security Information and Event Management (SIEM) platform for continuous monitoring.
Ingest the IOC values (log strings, IP address, and file hash) into your SIEM or detection tooling to identify potential exploitation attempts, not only past compromise.
Ensure Endpoint Detection and Response (EDR) and SIEM agents are deployed on all WSUS servers.
Configure IIS, WSUS, and Windows Event logs to forward to a central SIEM for correlation and alerting.
Implement detection rules for:
Unusual or oversized SOAP requests to WSUS endpoints (ClientWebService/client.asmx).
Unexpected child processes spawned by w3wp.exe (e.g., whoami.exe, cmd.exe, or powershell.exe).
Suspicious network traffic on TCP 8530/8531 from untrusted or external sources.
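A one-shot sweep of a WSUS host for the published indicators and the behavioural signals listed above, as an added example that is not part of the bulletin or of Eye Security's report. It assumes the default WSUS and IIS log locations, Sysmon with process-creation logging (event ID 1), and an elevated session; the request-size threshold and the candidate drop directories are placeholders to tune for your environment.

```powershell
# Added example, not from the bulletin or Eye Security's report: sweep a WSUS host for
# the published CVE-2025-59287 indicators plus w3wp.exe child processes and oversized
# POSTs to client.asmx. Assumptions: default WSUS/IIS log paths, Sysmon event ID 1
# available, run elevated. $BigPost and $DropDirs are placeholders to tune locally.
$WsusLog  = 'C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log'
$IisLogs  = 'C:\inetpub\logs\LogFiles\W3SVC*\*.log'
$DropDirs = @("$env:SystemRoot\Temp", "$env:SystemRoot\ServiceProfiles\NetworkService\AppData\Local\Temp")
$LookBack = (Get-Date).AddDays(-14)
$BigPost  = 512KB                                   # assumption: larger than any normal client SOAP call

# Indicators as published; the IP is defanged on the page and re-joined here so it
# matches raw log text.
$LogStrings = @('SoapUtilities.CreateException ThrowException', 'AAEAAAD/////AQAAAAAAAAAEAQAAAH9')
$AttackerIp = '207.180.254.242'
$PayloadSha = 'ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d'
$Findings   = @()

# 1. WSUS's own log: the serialised-payload fragment and the post-exploitation exception.
if (Test-Path -LiteralPath $WsusLog) {
    $Findings += @(Select-String -LiteralPath $WsusLog -SimpleMatch -Pattern $LogStrings |
        ForEach-Object { [pscustomobject]@{ Source = 'SoftwareDistribution.log'; Detail = $_.Line.Trim() } })
}

# 2. IIS W3C logs: hits from the attacker IP, and oversized POSTs to client.asmx.
#    The column order is read from each file's '#Fields:' header rather than assumed;
#    cs-bytes is only present if request-size logging is enabled on the site.
foreach ($file in Get-ChildItem -Path $IisLogs -ErrorAction SilentlyContinue | Where-Object LastWriteTime -ge $LookBack) {
    $fields = $null
    foreach ($line in Get-Content -LiteralPath $file.FullName) {
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }

        $hit = $row['c-ip'] -eq $AttackerIp
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -like '*/ClientWebService/client.asmx' -and
            $row['cs-bytes'] -match '^\d+$' -and [int64]$row['cs-bytes'] -gt $BigPost) { $hit = $true }
        if ($hit) { $Findings += [pscustomobject]@{ Source = $file.Name; Detail = $line } }
    }
}

# 3. Process lineage: anything spawned by the IIS worker process on a WSUS host is
#    suspicious. whoami.exe was the observed child; cmd.exe and powershell.exe are
#    the obvious next ones, so every w3wp.exe child is reported rather than a fixed list.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $LookBack }
foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ParentImage'] -like '*\w3wp.exe') {
        $Findings += [pscustomobject]@{ Source = 'Sysmon'; Detail = "$($ev.TimeCreated) w3wp.exe -> $($data['Image']) $($data['CommandLine'])" }
    }
}

# 4. Dropped payload: hash recently written files in the likely drop locations
#    (the IIS worker runs as NETWORK SERVICE by default, hence its temp profile).
$Findings += @(Get-ChildItem -Path $DropDirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $LookBack |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Where-Object Hash -eq $PayloadSha |
    ForEach-Object { [pscustomobject]@{ Source = 'FileHash'; Detail = $_.Path } })

if ($Findings.Count -eq 0) { Write-Host 'No CVE-2025-59287 indicators found in the look-back window.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

A clean result from this sweep only means none of the published indicators were present; an attacker using a different VPS or a rebuilt payload would not match the IP or hash, which is why the w3wp.exe child-process rule and the SOAP request-size rule are the ones worth keeping live in the SIEM rather than running once.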
WSUS servers should not be internet-facing. Restrict external access and ensure these systems are only reachable from trusted internal management networks.
Triskele Labs Managed Detection and Response (MDR) customers are actively monitored for indicators related to this activity. Clients under the Vulnerability Scanning service are being assessed for exposure to CVE-2025-59287.